Internet and e-mail policy and practice, including Notes on Internet E-mail

04 Jul 2009

The DKIM standard has been out for two years now, and we're starting to
see some adoption by large mail systems, but there's still a lot of
misunderstanding about what DKIM does and doesn't do.

A DKIM signature means a message isn't spam

Any mail system can add a signature to the messages it handles,
and spammers can sign their mail, too.
A DKIM signature contains, stripped down to its basics, the domain
of the signer and a checksum of the message.
If you get a message with a valid DKIM signature, all you know is
that the message you got was the same one that the signer signed,
since the checksum validates, and that the domain's management authorized
the signature, since there was a validation key in the domain's DNS.
The value of DKIM comes when you have a stream of messages signed by
the same domain.
If a domain has earned a reputation for signing good messages, for any
version of "good" you like, it's reasonable to expect subsequent signed
messages to be good, too, and vice versa.
The signature is only useful as a handle to recognize a message as
part of a group of signed mail.

A DKIM signature means the header information is "real"

Nope, it just means that the message you got was the message they
signed.
Once again, signers can sign anything they want.
Even if the signing domain is the same as the domain part of the
From: address, sometimes called a "first party" signature, there's
still no guarantee about the From: line other than that the one
you see is the one they signed.

Some signing domains may make a policy of only signing mail where the
From: address is verified, perhaps by knowing that the original sender logged
in with credentials linked to that address, but signing policy is deliberately
outside the scope of the DKIM spec.

DKIM doesn't work with mailing lists

There are two kinds of lists: announcement lists, where all the mail is
from one sender, and discussion lists, where subscribers send in messages
that are resent to all of the list members.
In both cases, the sensible thing for the list manager to do is to sign
the mail from the list.

The confusion arises from the possibility that mail sent to a discussion
list could already have a DKIM signature applied by the original sender's
system.
In most cases, mailing list software makes enough changes to messages
that the original DKIM signature won't validate any more.
Common changes such as adding the list name to the subject line, or adding
headers or footers to the mail, particularly if they're edited into the
HTML code of formatted mail, would break any existing signature.
A few old-fashioned list management programs (often used for technical
discussion lists, and hence disproportionately popular among the
members of the DKIM group) sometimes change messages so little that
list recipients could still verify the incoming signature as well as the
signature applied by the list, so a few people have claimed that this is
how to tell if mail sent to the list is "forged", and that list software
should all stop modifying messages so all signatures pass through.
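To make the "checksum of the message" and the list breakage above concrete, here is an added example (not from this post, and not any verifier's real code) that computes the DKIM body hash (the bh= tag, relaxed canonicalization as in RFC 6376) for a constructed message body, checks it against a constructed DKIM-Signature header, and shows that appending a typical list footer makes the hash no longer match. The domain example.org, the selector sel2009, the body text and the footer are assumed sample values; only the body-hash step is shown, not the RSA check of the b= tag.

```python
import base64
import hashlib
import re

# Constructed sample message body and list footer (not taken from the post).
ORIGINAL_BODY = b"Hi all,\r\n\r\nMeeting   moved to 3pm. \r\n\r\n\r\n"
LIST_FOOTER = b"--\r\nlist mailing list\r\nhttps://lists.example.org/list\r\n"

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value ('v=1; a=rsa-sha256; d=...') into a tag dict,
    dropping folding whitespace inside values."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of
    SP/TAB to one SP, strip trailing whitespace per line, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The bh= value for a=rsa-sha256: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_relaxed(body)).digest()).decode("ascii")

def key_record_name(tags: dict) -> str:
    """Where a verifier fetches the signer's public key: <s>._domainkey.<d> (a TXT record)."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """Body-hash step only: does bh= cover the body as received? (b= is not checked here.)"""
    tags = parse_tags(dkim_signature)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_canon != "relaxed":
        raise NotImplementedError("only relaxed body canonicalization is shown here")
    return body_hash(body) == tags["bh"]

def sample_signature() -> str:
    """Constructed DKIM-Signature for ORIGINAL_BODY; d=, s= and b= are placeholders
    (a real b= is the signer's RSA signature over the headers, not computed here)."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2009;\r\n"
            "\th=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";\r\n\tb=PLACEHOLDER")
```

Relaxed canonicalization tolerates whitespace changes in transit, but a subject tag or a footer is real content, so the list's own signature is what recipients should rely on.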

This shows a fairly basic misunderstanding of what mailing lists do.
As opposed to forwarders, which blindly forward incoming mail from
one address to another and are just a transit point, a mailing list is
really both a destination for mail submitted to the list, and the
sender of list mail.
During the 40 years that there have been e-mail discussion lists,
list managers have developed a wide variety of mechanical and manual
means to decide what submitted mail is passed through to the list.
Forged mail to mailing lists has never been a significant problem, and
there's no reason to think that will change just because some of the mail
has signatures.

People subscribe to mailing lists because they want mail from the list,
and nobody I know does spam filtering on mail that they already know is from
lists they've subscribed to. (We may filter out mail from chronic bozos,
but that's not spam filtering, that's just looking for their addresses on
the From: line.) DKIM can be useful to list managers using incoming
signatures as one of the criteria to recognize mail from subscribers and
help decide what gets passed through to the list.
It's also useful to list recipients to help recognize mail from the list
using the list's signature.
Both ways, far from not working with lists, DKIM makes list management
and use easier and more reliable.

DKIM, lists and large domains

How do you tell the difference between DKIM signature, particularly ADSP, invalid verifications and email list breakage on a many thousand user domain where you don't keep track of every user's mail list subscription habits? What DKIM filtering options should I use?

(by daniel
29 Sep 2009 08:27)

gfe consultants

"People subscribe to mailing lists because they want mail from the list, and nobody I know does spam filtering on mail that they already know is from lists they've subscribed to. (We may filter out mail from "

I have to strongly disagree with this. The Bayesians generally score mail from lists as very likely spam for several reasons; just to name two:

i. not a valid From address
ii. a large list of recipients

Since the spam filters and the list servers are not cooperating software (maybe not on the same domain/machine, etc.), one ends up whitelisting these lists manually (or with wildcards if the group's hoster is trustworthy).

I also infer you think a mail forwarder should sign mail received before sending it on. A problem with this is that the forwardee then might reply directly to the original sender from that forwarded machine's domain, etc., which no matter how good the rep of the forwarder would look suspicious;

and in fact I saw many people drop those replies (no bounce) until I included the end domain in the forwarding domain's SPF record. Hence forwarder's BBW.

So as a DKIM consultant I humbly admit I don't eat my own cooking (sometimes).

George Elgin
owner gfe consultants

(by george elgin
13 Dec 2009 23:33)

self-explanatory, no comment.

(by John R. Scott
27 Jan 2010 13:57)

How does SMTP server receive public key

Regarding DKIM, the receiving SMTP server uses the name of the domain from which the mail originated, the string "_domainkey", and a selector from the DKIM-Signature field to perform a DNS lookup. The returned data includes the domain's public key.
How does SMTP server receive public key?

(by Ashish
26 Apr 2010 11:53)

spoofing question

I've just started receiving spam signed by my own personal domain. I'd appreciate any comments you have about this. Is it a major concern, or just a new trend in email spoofing?

(by Andrew Harris
07 Oct 2011 18:58)

How do I get rid of Domain Keys

I can't access any of my information that I sent to my e-mail. There is a small key that appears when I try to retrieve my work. How do I get rid of this